main.bicep
// Template for the scheduled "sync resource policy information" container app job.
// Deployed at resource-group scope.
targetScope = 'resourceGroup'

// Tag appended to the janitor image reference in the job module below.
@description('The tag of the image to be used')
@minLength(3)
param imageTag string

// Used in the name prefix, the Environment tag and DOTNET_ENVIRONMENT.
@description('The environment for the deployment')
@minLength(3)
param environment string

@description('The location where the resources will be deployed')
@minLength(3)
param location string

// @secure() keeps a parameter value out of the deployment history and logs.
// Here it is applied to a resource name, not a credential.
@description('The name of the container app environment')
@minLength(3)
@secure()
param containerAppEnvironmentName string

// Also a resource name marked @secure(); it is interpolated into keyVaultBaseUrl
// and passed to the reader-role module.
@description('The name of the Key Vault for the environment')
@minLength(3)
@secure()
param environmentKeyVaultName string

// Only the length is validated here; the cron syntax itself is not checked in this file.
@description('The cron expression for the job schedule')
@minLength(9)
param jobSchedule string

// NOTE(review): declared @secure(), but containerAppEnvVars passes it as a plain
// `value` rather than a `secretRef`, so it is stored as an ordinary environment
// variable on the job. Confirm that this is intended.
@description('The connection string for Application Insights')
@minLength(3)
@secure()
param appInsightConnectionString string
// Common prefix for every resource name created by this template.
var namePrefix = 'dp-be-${environment}'

// Registry/repository prefix; the image name and tag are appended where the job is declared.
var baseImageUrl = 'ghcr.io/digdir/dialogporten-'

// Tags applied to the managed identity and passed to the job module.
var tags = {
  FullName: '${namePrefix}-sync-resource-policy-information'
  Environment: environment
  Product: 'Dialogporten'
  Description: 'Synchronizes resource policy information'
  JobType: 'Scheduled'
}

// Shortened job name; the full name is kept in the FullName tag above.
var name = '${namePrefix}-sync-rp-info'
// Reference to an already-deployed Container Apps environment (`existing`: nothing is created here).
// Only its resource id is used, as containerAppEnvId for the job module.
resource containerAppEnvironment 'Microsoft.App/managedEnvironments@2024-03-01' existing = {
  name: containerAppEnvironmentName
}
// User-assigned managed identity dedicated to this job. Its resource id is handed to the
// job module and its client id is exposed to the container as AZURE_CLIENT_ID.
// No role assignments for this identity are made in this file.
resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: '${namePrefix}-sync-rp-info-identity'
  location: location
  tags: tags
}
// Environment variables for the job container.
// Entries with `secretRef` point at names declared in the `secrets` array, so the value
// is resolved from Key Vault; entries with `value` are stored in plain form.
var containerAppEnvVars = [
  {
    name: 'Infrastructure__DialogDbConnectionString'
    secretRef: 'dbconnectionstring'
  }
  {
    name: 'Infrastructure__Redis__ConnectionString'
    secretRef: 'redisconnectionstring'
  }
  {
    name: 'DOTNET_ENVIRONMENT'
    value: environment
  }
  {
    // NOTE(review): the parameter is @secure(), yet it is passed here as a plain value
    // instead of through a secretRef like the two connection strings above.
    name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
    value: appInsightConnectionString
  }
  {
    // Client id of the user-assigned identity created above; presumably read by the
    // Azure Identity SDK in the app to pick that identity — confirm against the app code.
    name: 'AZURE_CLIENT_ID'
    value: managedIdentity.properties.clientId
  }
]
// Base URL for accessing secrets in the Key Vault
// https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-functions-deployment#example-1
// The DNS suffix comes from az.environment(), so the URL follows the target cloud.
var keyVaultBaseUrl = 'https://${environmentKeyVaultName}${az.environment().suffixes.keyvaultDns}/secrets'

// Key Vault-backed secrets referenced by `secretRef` in containerAppEnvVars.
// The URLs carry no version segment, so they are not pinned to a specific secret version.
// `identity: 'System'` selects the job's system-assigned identity for the Key Vault lookup,
// not the user-assigned identity created in this file. That system identity therefore
// needs read access to the vault.
var secrets = [
  {
    name: 'dbconnectionstring'
    keyVaultUrl: '${keyVaultBaseUrl}/dialogportenAdoConnectionString'
    identity: 'System'
  }
  {
    name: 'redisconnectionstring'
    keyVaultUrl: '${keyVaultBaseUrl}/dialogportenRedisConnectionString'
    identity: 'System'
  }
]
// Scheduled container app job that runs the janitor image with the
// 'sync-resource-policy-information' argument.
// The symbolic name `migrationJob` does not match what the job does; it is kept because
// the reader-role module and the outputs below reference it.
module migrationJob '../../modules/containerAppJob/main.bicep' = {
  name: name
  params: {
    name: name
    location: location
    // NOTE(review): the image is referenced by tag, which is a mutable pointer in the
    // registry. Confirm that the release pipeline supplies immutable tags, or consider
    // pinning by digest.
    image: '${baseImageUrl}janitor:${imageTag}'
    containerAppEnvId: containerAppEnvironment.id
    environmentVariables: containerAppEnvVars
    secrets: secrets
    tags: tags
    cronExpression: jobSchedule
    args: 'sync-resource-policy-information'
    userAssignedIdentityId: managedIdentity.id
  }
}
// Grants the job's identity read access to the environment Key Vault via the shared
// addReaderRoles module (which roles or policies it assigns is not visible in this file).
// Because it consumes an output of the job module, it is deployed after the job.
// NOTE(review): the job's secrets point at this vault with identity 'System', while
// access is granted only once the job exists. Confirm that identityPrincipalId is the
// system-assigned principal and that a first-time deployment can resolve the secrets.
module keyVaultReaderAccessPolicy '../../modules/keyvault/addReaderRoles.bicep' = {
  name: 'keyVaultReaderAccessPolicy-${name}'
  params: {
    keyvaultName: environmentKeyVaultName
    principalIds: [migrationJob.outputs.identityPrincipalId]
  }
}
// Pass-through outputs from the job module: the principal id that was granted Key Vault
// read access above, and the deployed job name.
output identityPrincipalId string = migrationJob.outputs.identityPrincipalId
output name string = migrationJob.outputs.name